Microsoft SharePoint Server contains an improper input validation vulnerability that allows an unauthorized attacker to perform spoofing over a network.

The vulnerability affects older Microsoft Products including::

• Microsoft SharePoint Enterprise Server 2016 (x64-based System)
  o Version affected from 16.0.0 before 16.0.5548.1003
• Microsoft SharePoint Server 2019 (x64-based System)
  o Version affected from 16.0.0 before 16.0.10417.20114
• Microsoft SharePoint Server Subscription Edition (x64-based System)
  o Version affected from 16.0.0 before 16.0.19725.20210

Exploitation is network-based and does not require prior authentication.

Typical exploitation flow:

1.1. Target identification

• Attacker locates exposed SharePoint servers on internal or external networks.

2. Crafted request submission

• Malicious HTTP requests are sent with manipulated or malformed input fields. /li>

3. Bypassing input validation

• The system incorrectly interprets the attacker’s input as trusted data, allowing:
•  Forged user identities

•  Manipulated session or request context

•  Unauthorized actions performed as another user or system component

4. Request or identity spoofing

• Attacker overwrites memory and executes code with SYSTEM privileges.

5. Worm propagation (common in real attacks)

• Malware automatically spreads to other vulnerable systems across the network.

Successful exploitation of this vulnerability may allow attackers to:

• Execute arbitrary code remotely with SYSTEM privileges
• Install malware or worm payloads
• Fully compromise affected systems
• Spread laterally across internal networks
• Disrupt services and cause large-scale outages

CERTVU recommends the following:

Apply Microsoft Security Updates (Critical)

• Install the latest SharePoint Server security patches provided by Microsoft
• Ensure all farm servers are updated consistently